Implementing a vulnerability management process
This activity must be performed during the following phases:
- Alpha
- Private beta
Vulnerabilities refer to weaknesses in digital systems. You need to address any known vulnerabilities as soon as possible to reduce the potential for exploitation, for example by an adversary exploiting them to cause damage and harm to DfE and end users.
Vulnerabilities can arise for several reasons, including:
- system and security misconfigurations
- software weaknesses
- user error
Establishing a vulnerability management process ensures project teams can protect systems and data, reducing risk to DfE. It forms a key input to security assurance as part of Secure by Design.
Who is involved in this?
Your vulnerability management process should be:
- created by your project's DevOps and technical architecture team with direction from security professionals. This helps to ensure any approach is feasible and meets your project's security needs
- discussed with your Senior Responsible Officer (SRO) or service owner, allowing them to agree that the proposed actions related to vulnerabilities are appropriate and proportionate
- performed in close collaboration with development teams, so that they are aware of expectations when it comes to resolving vulnerabilities
You should get support from the Cyber and Information Security Division (CISD) Vulnerability Management lead when completing this activity.
Teams should also be aware of the stakeholders within the DfE organisational vulnerability remediation and escalation procedures.
When should I define a vulnerability management process?
Your approach to vulnerability management must be:
- defined at the alpha stage of delivery, before you start discovering vulnerabilities
- integrated into your project delivery lifecycle
- reviewed on a regular basis and when the service evolves, to ensure it remains fit for purpose as part of continual improvement
Vulnerability management is a critical input to security risk management and threat modelling. It influences the risk held by digital systems and how adversaries may seek to attack them.
Key considerations for project teams
Project teams must follow the Vulnerability Management policy to ensure alignment with DfE processes. This includes:
- aligning with the DfE vulnerability escalation process, clarifying stakeholder responsibilities and communication channels
- awareness of response and mitigation timeframes, and the resources needed to meet them
- tracking vulnerabilities in a risk register, assigning owners and integrating them into project planning
The Continuous Assurance tool and Cyber and Information Security Division (CISD) Vulnerability Disclosure Program (VDP) can assist you in establishing a vulnerability management process.
Speak to CISD if you need help.
Vulnerability management performed by CISD
The CISD Vulnerability Management team will check projects via GitHub and the Continuous Assurance platform. This is intended to supplement proactive vulnerability management performed by teams themselves.
You need to engage promptly with any CISD requests if they detect a vulnerability or inform you of a reported vulnerability.